One issue I had with Gobuster and any of the site brute forcing tools like dirbuster/dirb is that they only take one list at a time per command.So to run several lists through them is extremely tedious.

I instead opted to create a wrapper script in Python to call gobuster on multiple lists for me. I used lists that come with the newer Kali upgrades/distros and make for a good start when attacking boxes for practice in labs or CTFs.

In case it isn’t installed the only non Python basic module needed is “sh”

This article is a part of my CCNA course material I use for study that encompasses everything needed to know about IPV6 as a layer 3 protocol to help pass the CCNA v3 exam. It is also a final consolidation of notes on the subject with full video and lab demonstration link provided to help the reader and myself better understand the subject. This will be updated as new information is disseminated.

Why IPV6

IPV6 is the next generation protocol that solves the IPV4 exhaustion problem that is currently being held together by CIDR and NAT as discussed in the article for IPV4. IPV6 like IPV4 has a many similarities but also many new features like new address types that allow for enhanced network communication. For example IPV6 clients can auto generate a Link Local Address to begin talking to each other on the network without admin intervention. With 128bits of address equaling 7038340000000000000♠3.4×1038 (340undecillion) addresses available to ipv6 this is like giving every atom on planet earth its own ip address 3x over. Now to sum up points for knowing everything needed on the CCNA see below.

Who made it

Registration with IANA > RIR(ARIN) > ISP > Your company ——must be made before using an ipv6 routable address/subnet. It will otherwise be dropped at some point in the routing process likely by the ISP or higher authority.

Rules for ease of use:

Abbreviate consecutive quartets of 0s with double colons but only once ie; FE00:0:0:1::56

Review of Hex Numbering

Hex Binary Hex Binary

0 0000 8 1000

1 0001 9 1001

2 0010 A(10) 1010

3 0011 B (11)1011

4 0100 C (12)1100

5 0101 D (13)1101

6 0110 E (14)1110

7 0111 F (15)1111

IPV6 Header:

4 Bytes:

version

class

flow label

payload length

next header

hop limit

32 bytes

source address – 16 bytes

destination address – 16 bytes

How it Works on Cisco Routers

When enabled on the router and on an interface (see below for commands):

enables routing of IPV6 packets

defines ipv6 prefix that will be used on that interface;

adds a connected route to the routing table when the interface is up/up

-Interfaces can have ipv6 link local and global addresses configured and in use on their interfaces with a special ipv6 enable command in the interface subcommand mode. They don’t need ipv6 enabled on the router necessarily

Dual Stack: Terminology used when routers run both ipv4 and ipv6 routing and use a separate Routing table for each

Address Types

Global Routing Prefix:

Closest thing similar to IPv4s classful networks but in this case the company is locked down to using the network mask assigned by the IPV6 authorities so there really is no classes the address block that can be assigned to a company for which can also be addressed to when reaching that company. The prefix should allow the company to basically assign as many addresses as needed and so provides for that many

ipv6 enable ———this will simply enable ipv6 on the interface and generate its link local address. Good for simple WAN link connections since they only need to use link local address to route packets across their network

ipv6 address 2001:0:1:1::1/64—————example of an ipv6 assigned address(DONT forget the double colon syntax at the end of every address;;;Also feel free to remove leading 0s). This will also automatically assign a link local address

ipv6 address 2001:DB8:1111:1::/64 eui-64——example of using the eui method which takes the MAC and insert FFFE in the middle and inverts 7th bit to create the 64 bit host ID

Video(coming soon)

In a home environment I have always used and been able to rely upon Trinity Rescue Kit. If your working in an enterprise environment this won’t work on Domain Accounts but if you for some reason don’t have any access at all to the PC you can at least reset the administrator’s password and get in. If I don’t even need to get in to retrieve any information I would just re-image the PC and not bother getting in but in case you need something here is the tool.

You will get an ISO image and just burn it to CD since it is most likely your PC has a cd player. If not then you will have to make a bootable USB drive with it and boot using USB if your PC doesn’t use a CD player. This tutorial is for use of the CD version but if you need to make a bootable USB drive I like using this little tool called YUMI

Boot into your TRK disc and Choose the Interactive WinPass option and then choose option 1 to select your Windows Installment and list its users.

Type in the name of the user you want to clear a password for and your done!(See video for details)

So we like playing music in the car or wherever we are from our phone using youtube. Now lets instead just download our music before-hand and not use our costly phone’s bandwidth! On top of this we just want to download the audio since it is a much smaller file size and will take up little room.

Tool Needed:

Back to my favorite online video downloader: Youtube-dl – This is our simple command line tool we will run in the command prompt to grab our videos with. I have written a previous post on this on how to use it please check that out on figuring out how it’s used.

This is a quick blogged guide for administrators who need to delete an email from their organization for some reason or another. In my case this was due to a cryptolocker like virus outbreak called Cerber.

The Task: Find the emails and delete them from the system to prevent further incidents from popping up making more work for us because we always have to re-image and physically replace the machines in some cases not to mention user downtime.

First Step:

First we want to be able to locate and identify the emails targeted for deletion. In my case we received the payload from this address: Sharyn.chpdc@rambler.ru (first just want to say .ru its Russian!) we should never open emails like this but users will still go for it. There are several ways to find where the emails went and find out who read them and so on and this is what we will do going off this address.

I’ll use both normally. In many cases if the search involves gathering emails it is easiest for me to just run an E-discovery search and shoot them over into a PST file. In the case of deletions though we want to use the Powershell since it is the only way as of now that I know of to delete emails from the system and user mailboxes in mass action.

-This command first grabs all mailboxes within the Organization then pipes it to our search function using the “|” symbol. In our Search operation we “Searh-Mailbox -Search Query” so here we will then specifcy with the “From:” text to find our matching address. The command then follows up with a “target” mailbox and user to send a report of the results. In my case I’m sending it to my adminuser’s mailbox under the “SearchAndDeleteLog” I created for it.

I was concerned that it worked on also infecting file shares but from what I can see it doesn’t touch them. After having a user infect a computer here in our Network it looks like nothing else has been touched but all the files on her computer displaying messages like this:

Every file basically encrypted until you pay the son of aguns.

Basic Steps on handling this type of problem:

Verify none of your other networked file shares have been infected and run a full virus scan of the shares just to be safe. So far I haven’t heard of Cerber jumping to any networked shares so it keeps things local to the machine which means it is mainly targeting end users. Here is a snip of Code from the above link that leads me to believe it is only keeping things local since it’s the only reference to any directories it makes: “folders”: [ “:\\$recycle.bin\\”,”: \\$windows.~bt\\”, “:\\boot\\”,”: \\drivers\\”, “:\\program files\\”,”: \\program files (x86)\\”, “:\\programdata\\”,”: \\users\\all users\\”, “:\\windows\\”,”\\appdata\\local\\”, “\\appdata\\locallow\\”,”\\appdata\\roaming\\”, “\\public\\music\\sample music\\”,”\\public\\pictures\\sample pictures\\”, “\\public\\videos\\sample videos\\”,”\\tor browser\\

Next step is to Burn the infected machine(Just re-image it) Users might ask for the files in which case they can pay the ransom if it’s that important. Something like 2 bit coins or $500 if you pay up before it doubles on you every week. One other thing users have asked me is if they can at least see the files they lost in which case your going to be taking a picture of the computer screen because there’s no safe bets I would take making any kind of digital bridge to that computer(ie: plugging in a usb stick or taking a snapshot to transfer to a usb Stick)

Final step is replace the users PC and restore their files. That is if you back them up!

UPDATE:

Confirmed with Talos Security group that this is not de-cryptable as of yet